If I was Brenda's son I would find the information given in the comments to the answers useful in overcoming any security she might put in place. You are advising the hacker. Unbelievable! SplashHit, I do not mean you.
–
grahammechanicalNov 29 '11 at 13:59

This question is not about Ubuntu. It's about your computer's hardware or about Vista. If your son is using a toothpick to pick a lock, your problem is not with toothpicks, it's with your lock. (Or maybe this is a parenting question, really.)
–
GillesNov 29 '11 at 20:42

5

I was a Best Buy employee during the "Vista training" days preceding its grossly over-hyped release. The Microsoft training touted Vista as being a secure way to have secure parental control over your children's computer use. I mentioned that a Linux Live CD could bypass all of these measures. They didn't really have an answer for that, so I tried to keep my questions to myself beyond that point.
–
ZootNov 29 '11 at 20:47

6

At the risk of stating the obvious, confiscate the livecd and put blank cds in a locked cabinet. If he makes a USB install or finds some other way around it, sit down and talk with the kid. Pull the "I'm dissapointed in you" card.
–
WilliamNov 29 '11 at 23:00

A couple of fairly major issues exist here, which are really working against you:

Unless there's something you haven't mentioned, your son probably has relatively unrestricted physical access (in terms of actual security) to your system. I'll cover some mitigations you can put in place below.

It seems your son is lacking a certain respect for you and/or your rules regarding computer usage. If you'd like assistance with this, I'd point you to the Parenting Stack Exchange.

Regarding physical access to the computer:

As security compromises of a PC go, physical access is perhaps by far the worst kind. Once an attacker (in this case, your son) literally has their hands on your computer, most other security methods in place are easily circumvented. That said, here's what you can do to prevent or hinder these attacks from affecting your system.

Use strong passwords. Make them 15 characters long at minimum, and use all four character types (lowercase letters, uppercase letters, numbers, non-alphanumerics). Avoid using any dictionary words in any part of the password. You should also avoid using anything that would be common knowledge, like a pet or friend's name or someone's sports jersey number - this especially applies when the threat is coming from a family member, who would have intimate knowledge of such things that are dear to you. Lastly, do not write it down! This will help better secure any resources that are password-protected, although physical access to the system can bypass most password protections that do not use encryption. For protection against physical access, also see item 4.

Encrypt the hard drive. This will prevent any attacker from reading or manipulating the system files when booting into their own environment. This is the only measure that will generally survive an attack involving physical access to the system. Also, see item 1. While this will help ensure your data is not read or modified, it cannot prevent use of the system via boot disc (like your son is using) or attempts to intentionally destroy the data. See items 3 & 4 for that.

Lock down the BIOS and Boot Order. Set the system to only boot to the system drive, and set an Administrator password on the BIOS so that this cannot be changed. Optionally, you can also configure the BIOS to require a password at boot-time regardless of what boot media (CD, Hard Drive, Flash Drive, etc.) is going to be used. Also, see item 1. This will prevent your son from booting from a LiveCD, but it is reliant upon physical security to prevent bypass. See item 4, regarding this.

Physically secure the system case. If possible, lock the system's chassis with a padlock and/or place it in a secured cabinet. A chassis lock will hinder efforts to clear the BIOS password by using jumpers on the motherboard, and efforts to remove the hard drive for loading into another system. A secured cabinet will do that, and also hinder any attempts at plugging in or loading alternative boot media. More generally, you could also just lock the room the computer is in. For ideal security, and if you're really paranoid, do all of the above. This really should be at the core of your solution. Without this, your BIOS password can be easily bypassed and your son could boot from whatever disc he likes. At that point your data, if encrypted, may still be safe from being read or modified but it could still be destroyed either intentionally or accidentally.

Also, for the first part of your question:

Can this damage my computer or corrupt my files? (I have lots of pictures)

Using a boot disk generally does not pose any inherent risks to your system's integrity. However, at this point your data is at the mercy of whomever is at the keyboard. If the system can be booted from removable media, whole-disk encryption may protect the data from being read or modified but it cannot protect the hard drive from being completely wiped if the attacker intends to do so.

Your best defenses here would be to follow the steps above as far as they are practical for you, and make sure it is understood that your rules will be strictly enforced with stiff penalties.

I like encrypting the hard drive. I would go one step further and make the hard drive removeable, then take it with you or lock it in a secure physical storage container.
–
this.joshNov 30 '11 at 0:22

@this.josh That's great for preventing damage to the system. However, if the goal is to prevent any usage of the computer, the best way to address the problem here is through physical security and discipline.
–
IsziMar 4 '12 at 20:25

4

You shouldn't rely on you PC's harddisk (only) for your valuable pictures anyway. Make sure you have backups, eg. on an external USB disk.
–
jippieMar 29 '12 at 20:28

@jippie Good point, there. But there still is the overall issue of enforcing computer usage restrictions.
–
IsziMar 30 '12 at 20:12

Your "strict rules" aren't very strict if you can't enforce them. I would suggest, depending on the age of your son, that you start enforcing your rules by attaching consequences to breaking them. You might look at options such as taking away his allowance or driving privileges, taking away his cellphone (or not paying for his access), or grounding him. The problem is not a computer problem or even a security problem: the problem is behavioral, and if he refuses to obey you he clearly does not respect you. Unless this is a joke or a game, he is headed for trouble as he grows older.

Horrid, indeed! (As one who has worked in IT, I've seen that such "highly paid" jobs don't last long if one doesn't follow rules.)
–
KelleyNov 29 '11 at 20:00

5

Only the best know which rules are good rules, and only the good know enough to at least question the rules, always. "No linux" is not a good rule! I agree that kids should be responsible about computer time but it seems the problem is lack of respect/understanding from perhaps both parent and child in this situation.
–
Ben BrockaNov 29 '11 at 20:07

3

@Kelley... if someone highly skilled is running up against "rules" in the workplace, then it's probably because the "rules" are interfering with their ability to do the job (e.g. not providing or allowing the use of the best tools for the job)... these places are usually not the most "high paying" anyway... leave it for a saner and more high paying one
–
SplashHitNov 30 '11 at 13:09

Then he could reset the password on the BIOS by taking out the motherboard battery. (Or jumpering the right pins on the MB) If you have physical access to the computer, you will most likely be able to get into it one way or another.
–
AzendaleNov 29 '11 at 7:53

11

To be frank there is little that the OP can do when the son is using a livecd - the real issue is not technical in my opinion.
–
forestpiskieNov 29 '11 at 8:19

1

Wrinting to NTFS partition is not officially supported, so there is a slight chance that some files become corrupted. I used myself Ubuntu on its own partition, and attached the older NTFS partition so to access my files, and every month I somehow went back to Windows it wanted to check the disks and it always found some broken files.
–
karatedogNov 29 '11 at 12:37

4

@karatedog: I've been using NTFS partitions on Linux/Windows for a couple of years now and I never had any problems (and I both read and write to them).
–
EgonNov 29 '11 at 12:59

2

@karatedog - It hasn't been that way for several years. NTFS-3G went stable in 2007.
–
pdubsNov 30 '11 at 16:08

As others have mentioned, you can make it harder for your son to boot a live CD by using a BIOS password, boot order and so on. Using a BIOS password has the added advantage that if he does clear it you will know next time you start the computer.

If you need to make sure he can't look at your files on the computer then the only way to be certain of that is to use disk encryption (such as TrueCrypt).

I hope I don't sound flippant, but have you let your son know you are aware of what he does and you'd like it to stop?

An old quote from computer security professionals I know is, "Once someone has physical access to your computer, it is no longer your computer." If you do not want someone using your computer, I would suggest some kind of physical access control.

At the risk of stating the obvious, confiscate the livecd and put blank cds in a locked cabinet. If he does a USB drive install, talk to the kid. Pull the "I'm disapointed in you" card. You don't want the kid running around using the computer from a livecd and letting him get the impression it's okay. If he wants, he could format the hard drive and install Ubuntu, accidentally or otherwise, easy to do on a livecd. That would leave you with all your data gone and stuck with an unfamiliar operating system. You don't want to give your kid power like that. If the kid is this tech savvy, back up the computer. That will limit the damage that can be done. Put the computer in a locked cabinet is a good suggestion, do that. But its only a matter of time until your kid finds some other way around it. Talk to the kid and try to work something out, tell him that you are worried by him getting around the walls you've set up for him and that its only a matter of time before he messes something up and gets in trouble with the whole family. You also might want to consider getting a cheap refurbished computer for him as a Christmas of birthday gift. If he can mess up his own computer and learn the consequences of his actions self-sufficently, then he doesn't need to put all of your data and the computer at risk.

How about not allowing the kid on the computer. Solves all the problems, if they have homework, sit in the room with them. If you have to move the computer into the kitchen.
–
RamhoundDec 5 '11 at 17:11

No, a live cd, and a live sessions can't damage your computer. But on the other hand you should be aware of the fact that via a live cd of Ubuntu, with some knowlegde, your computer privacy and even your computer security is at risk.
But playing around with a live cd with good intentions, nothing is at risk.

A live CD can EASILY damage your computer,often in more ways than you could from a windows os.
–
Rory Alsop♦Mar 24 '12 at 23:15

1

@RoryAlsop To be clear, the LiveCD itself generally poses little to no risk to system integrity. It's how the LiveCD gets used (intentionally or accidentally) which can cause issues. Sort of a "Guns don't kill people - people kill people" thing.
–
IsziMar 29 '12 at 17:34

sounds like your son is more tech-savvy than you ... not a good position to be in.

you have various options, ranging from simple to relatively complicated (also varying in effectiveness). before we begin, pls note that there are several reasons you should be slightly alarmed at the easy access yoru son has to your system. whether the ubuntu CD corrupts your system or not (i suspect it won't, but ya never know), if he is able to get admin access, he can then boot the machine, log in as administrator, & do whatever the hell he wants (eg, install questionable software). he might even install malware (by accident or otherwise), due to curiosity, desire to retain admin rights (i.e., backdoor of some sort), or some other motivation.

the "best" solution really depends on a lot of factors, so to maintain brevity, I'll give the "best" answer from a comprehensive standpoint: use FDE software like BitLocker, TrueCrypt, or whatever, to encrypt entire disk, requiring authentication to boot. If BitLocker, enable TPM in BIOS. Set primary HDD as first device in boot sequence. Password protect BIOS.

the advantage of above is it protects more than just your son running circles around you from a security standpoint. It also protects all your data in the event your machine is stolen (a nice bonus).

also:

talk to your son & advise him that he betrayed your trust. then, create a non-admin account for him to use, and give him a second chance. see what you did there? you've told him that his behavior was bad, but then entrusted him your machine to use responsibly, making him a stakeholder in the security of your machine (as he presumably won't want to betray your trust a second time). the good thing is the account is limited, acting as a sandbox of other user accounts, the operating system files, etc. (note: only do this if this is your machine, not your employer's). if done properly, this won't discourage his curiosity, will make him more responsible, making it a "win-win" scenario.

You can set the BIOS to not boot from CD and put a password on it, but he will still be able to reset BIOS if he has physical access. If he boots into a livecd, he can practically do anything to the files if your drive(s) are not encrypted. Figuratively speaking, you can't ever completely restrict his access to the computer, but there are many things you can do, like stated above.

You ever watch Ferris Bueller's Day Off? "nuff said. Kids are kids, they do stuff.

With that being said, the issue is your enforcement of your rules under your
own authority.

On the other hand, got to admit that your kid sounds pretty smart and resourceful and came up with a creative solution to gain his computer access - kinda like something I would have done back in the day. lol - in fact I did. Back in my day the computer was an IBM PC XT and I figured out a low-tek way to gain access to the BBS boards on dial-up - I went to the local hardware supply store at the age of 13 and purchased an extra long telephone cord and used that to connect the phone line from kitchen all of the way into the living room and sneaked the internet using free AOL dialup time cards.

Have you sat down and discussed with your kid as a family what his intentions are in utilizing a live-cd to bypass any current restrictions placed on the computer? Have you set clear boundaries with constructive and consistent positive reinforcement methods for behavioral modification? (negative reinforcement ie punishment is less effective than positive reinforcement - give incentives that reward acceptable behavior within social norms.)

Restrict physical access by removing a key piece of hardware like the power-cord and keyboard. Remove the CD-ROM drive from the computer (do you really need access to it) and disable the USB boot and CD-ROM boot in the BIOS and password the BIOS. See if that effectively solves your problem and monitor the situation.

You could also resort to relocating the computer to a more public or private arena of the house, depending on what would be more effective. Use a "nanny cam" scenario that secretly records any future computer usage may also give you some peace of mind.

You could remove the power cable to the computer and unplug the router, severing power to the computer and access to the Internet. This would limit the child's use of the computer unless they figured out that a replacement power cable costs a couple dollars, which they could use to restore power and connectivity.

It appears that any technical barriers that you put up may be circumvented faster than you can implement new ones.

Any further advice would wander into the realm of parenting advice. This isn't really about the computer. It sounds like it's about trust and boundaries.

I don't know about in the USA, but in the UK there are many devices in an average household that take the same IEC power cable as a computer.
–
rjmunroNov 29 '11 at 22:09

1

the first idea is ill-advised (it'll just encourage him to do it again), though I guess the 2nd paragraph acknowledges that point. the last para (regarding trust/boundaries) is a good point & lies at the crux of all this.
–
GarrettDec 1 '11 at 22:21

I realize this thread is a little old but I'd like to toss in a couple suggestions. The comments about configuring the boot order in BIOS so that the computer will not boot from CD/DVD or USB are right on. So is the suggestion to password protect the BIOS. I would add that if your BIOS has the option, turn on the Chassis Intrusion feature which will alert you if the covers have been taken off of the computer.

Regarding the encryption of files and the disk, if you are using a Professional version of Windows then you can use EFS to encrypt files, however you need an Ultimate version to encrypt the whole disk. The other options, as mentioned, are PGP or Trucrypt. The danger is that you might lose access to the files yourself. In the case of EFS and BitLocker(Windows Vista and 7 ultimate) you will be provided a key for the encryption. Save the key somewhere besides your computer. Burn it to a CD or use a USB. The reason is that EFS and Bitlocker are tied to your password. If your son happens to reset your password then he will cause all of your encrypted files to be inaccessible.

As far as allowing this behavior...violating the security of a protected computer, which is essentially ANY computer, is a felony offense. While this may not apply to a computer in your house it will apply to any other computer. A felony offense will prevent him from ever having a computer job and any other well paying job. There are many juvenile hackers who have discovered this. Schools are becoming much more proactive at detecting and preventing this kind of behavior. My point is, you are helping him by preventing this behavior, not harming his creative abilities. There are ways to learn Ethical Hacking that are legit but if he has had problems with law enforcement he may not be accepted into a college IT program.

I would suggest that you install Oracle VirtualBox. It's completely free, and in my opinion one of the most amazing bits of software out there. Your son can then freely install Ubuntu (or pretty much any other operating system that will run on a PC) as a Virtual Machine (VM), which is then run from within Windows. It's very easy to install and configure.

I use it at work, as the corporate Operating System is Windows XP, but I do all my work in Linux, and it saves me the bother of setting up dual boot or whatever. It runs smootly (I would say with no noticable slowdown) on my fairly standard dual core Toshiba notebook.

This doesn't completely stop him from being able to break Windows, but it should make it a whole lot less likely!

You're completely missing the key part of Brenda's problem. It's not that her son is using linux per se; but that he's using the computer when he's not supposed to be doing so. Using a VM only addresses the minor risk of a mistake/bug trashing the primary OS.
–
Dan NeelyNov 29 '11 at 19:42

1

@DanNeely Well, it also addresses the risk of forming a resentment as a young linux enthusiast is forbidden from using linux for no good reason. Alternatively, they could go with any of the suggested hardware solutions for limiting computer time (i.e. take away the cord, or lock the room) and then abandon the idea of enforcing usage time through software.
–
Random832Dec 1 '11 at 15:13

I would guess we're not talking about a local game, as there are few that would work on Windows and *nix.

There are the time limits, but I ask again what is the purpose of the time limits - so I guess we're really talking about limiting time on the internet and/or access to certain websites.

Working on that assumption (I know, the problem with assumptions...) You could do a lot of the access controls already mentione. (I do like Iszi's suggestions best), but maybe the issue is that we're not looking at the right level to add controls.

If your end goal is to limit access to the internet in general and/or certain specific sites, you may want to move up to your router's access controls and/or use a different DNS service like OpenDNS.

Most modern routers will let you enforce time limits and access restrictions based on the MAC address. This way it's based on the NIC and it doesn't matter what he boots into. There is one little footnote I should add to this option - it is possible to spoof the MAC address. Ok, there are two footnotes I should add - he could log into the router if you do not have a good password in place. For the first footnote, there are other questions that cover that issue in more depth than I have the skill to cover. As to the latter, look at Steve Gibson's Password Haystacks page and listen to the linked podcast.

Services like OpenDNS (I only mention that one in particular because that is the one I am familiar with) will let you enforce content filtering at the DNS level. Your child would have to know how to manually set up an alternate DNS to bypass that. Not impossible, but more effort than booting up a Live CD.

Even after implementing one or both of the above suggestions, you still need to look at the parenting end of this issue. (again, back to Iszi's answer) There is no such thing as a hack-proof system - any security one person can set up, another can find a way around given time and access.

what does this have to do w/ the original question?
–
GarrettDec 5 '11 at 21:47

@Garrett - His child was using a live CD to bypass "restrictions" set in Vista. If the "restrictions" are internet-related (we don't know, but it is a reasonable guess) then placing the restrictions in a different place would be easier than trying the PC level solutions already offered. (Parenting issues/solutions not withstanding)
–
AnonJrDec 6 '11 at 13:41

These suggestions aren't that bad, but are also probably more trouble than they're worth. Firstly, they're easily bypassed. Just push and hold that little red button on the back of the router. Unless the parents are checking regularly, or there's other essential services they've configured the router to provide, I'm sure a reset to factory defaults would most likely go unnoticed. Additionally, if the PC is shared among the parents & child, this imposes the same restrictions on the parents as well unless they manually re-configure the router every time they want to use the system.
–
IsziMar 29 '12 at 17:29

@Iszi - when it comes right down to it, with a little research all of the above can be easily bypassed when we assume the child has as much technical knowledge as we do (which may or may not be an appropriate assumption, just pointing out that we tend to project our own level of knowledge on the problems we solve). When it comes down to it, the physical access is the key limiting factor in all of this. With physical access an amazing number of security precautions can be bypassed.
–
AnonJrApr 10 '12 at 14:43

@AnonJr My point is, the router solution adds much less value than hassle. Other solutions are not so easily bypassable (or, if bypassed, are generally easily noticeable) and don't provide too much inconvenience.
–
IsziApr 10 '12 at 15:24

If I was your son, the ONLY way to prevent booting from a DVD is to physically remove the drive. (google DVD drive replacement and your laptop's model number. It's usually just a few screws to get to it and takes about 30 seconds. Keep the drive in your car locked and check it daily, or just leave at your office)

Even if you put a BIOS password on it I would clear it.

The only other issue with this is the USB ports/SD Card slot.

If he was to create a USB bootable drive he would still be able to boot that, however you would physically see the USB drive plugged in, OR he could do the same thing on an SD card which you would have to physically look into the SD card slot.

Regardless of disk encrypting and attempts of physical security it sounds like your son is already one of us (security minded engineer) since physical access is the killer to all security measures you may want to just buy a cheap computer or laptop off of craigslist or ebay and have it be theirs. To limit time on their machine, take the power cord (and battery as well if a laptop) when you don't want them using the machine.

If you want to limit what they can access online then buy a decent router and block traffic on that level. Change the password to administer the router to something EXTREMELY random like "!S!@$#wf¥V║e@f#f3#$f3" and check every week that he didn't reset the router back to defaults to overcome this. (If I was your son I might just leech access off of one of the neighbors, so again there is a way around almost everything.) to get really secure on online access pull their wifi card so they have to be physically connected with the onboard network card and keep an eye open for a USB wifi adapter that he might sneak on onto it to try to bypass that security measure.

Depending on your son's age and moral values he has the potential to become a good producer in a modern society, please don't hold them back since most introverts tend to hold a grudge he will remember how you treat him on this issue. Give them their own computer and chances are if he's that bright with electronics have them help find and buy a broken system (together) for pennies on the dollar and rebuild it, your son might just suprise you and start a side business repairing machines while hopefully staying out of trouble.

good luck, and I hope my son (who is 2 years old right now) grows up to become like your son, which is coincidently similar to how I grew up.

By the way, when I was grounded as a kid the only way my parents could keep me off my computer was to take ALL of the cords, since I bought a few spare cords as well I would still bypass this security measure in the middle of the night or when I knew that they would be working late. Point being, with physical access all bets are off on security, it's only a matter of time to bypass it.

My apologies that I have talked about getting around every single security measure, I do this so that you don't have false hopes on keeping them out. Working in I.T.Sec isn't for everyone since it takes a certain deductive reasoning mindset, point being nothing is truly impenetrable. I'm just being accurate. And if your son had his own laptop you could always take it away from him (or if you are really upset shoot it like that father did on youtube http://youtu.be/kl1ujzRidmU )

It seems here like you are berating the parent for even trying to enforce what are presumably reasonable restrictions within their own household. There's really more detail in here about how the restrictions could be bypassed, than how they should be enforced. Please re-write your answer so that it focuses more on how the problem should be resolved instead of how hopeless a situation you think it is.
–
IsziMar 30 '12 at 18:04

Please re-read the part about buy a computer just for hteir son. Since he would have his own computer to use it would help deter getting on his parents. On a laptop with no power cord or battery it simply won't turn on. This may seem extreme to some but if I was 14 again it would be the ONLY thing that would keep me off the computer. Besides, batteries locally won't be cheap from a retail store so it's another obsticle to prevent and deter access. If I only write about enforcing security, that would only provide a false sense of security until he breaks past it. I always did when I was a kid.
–
BradMar 30 '12 at 18:15

As I read it, the problem isn't just about the son getting on the parent's computer in general. It's about him getting on it when he's not supposed to (i.e.: during bedtime or privilege suspension). Getting him his own computer won't help anything - in fact, it may just exacerbate the issue. The other good answers here do provide appropriate disclaimers about the effectiveness of the given security options without overtly bragging about how many ways there are around them. (Also, they're generally formatted to be much more readable.)
–
IsziMar 30 '12 at 20:02

Get the kid a laptop and take away his battery and power cord based on the schedule that you would allow and not allow him to use the computer.
–
BradApr 2 '12 at 17:29

Most home routers support time of day restrictions. This should remove most of the incentive to boot the LiveCD until you at least got home from work. If you're using PPPoE he won't be able to circumvent it without actually breaking into the router itself... which is a lot trickier than using an Ubuntu CD.

You could also lock down the PC, but it depends how techie you are. Physically lock the case, put a bios password on the machine, remove the CD, USB and network from the boot sequence. It's not foolproof, but he'd have to pick the lock and blow away your password to be able to boot the machine. The loss of your password would be evidence that he'd been breaking the rules.

Well, as there were several good solutions given already, I would suggest some of the more-time-taking securities. Remove your cd-rom and/or usb port connections. Though this can be bypassed as your son can bring his own cd-rom.

Also, in many cases the rear panel USB ports are directly soldered onto the motherboard, and may be hard to disable without risking permanent damage. Besides, how would you use your USB mouse and keyboard without them? :)
–
Ilmari KaronenNov 29 '11 at 14:07

2

can't disagree more. there are less painful solutions that work better & that simultaneously encourage rather than discourage the child.
–
GarrettDec 1 '11 at 22:25